TECHNICAL EXPERIENCE SUMMARY

Sandra Appel has more than 20 years of SAP Security Strategy and Security Project Management and 10 years of experience with Virsa/SAP GRC Reporting and Security Role Modifications. This background includes Global SAP Security Strategy 26 full-cycle SAP Implementations 14 engagements required Business Process experience Security Role revisions to obtain Sarbanes-Oxley Segregation of Duties SOD compliance using SAP GRC/Virsa Software Central User Administration CUA , 17 engagements re-engineering Security Roles to eliminate SOD conflicts for the client Controller or Auditors 12 ECC 6.0 engagements 1 Upgrade , SAP Security for BW/BI, CRM, MDM, SRM, and HCM systems.

PROFESSIONAL AND BUSINESS EXPERIENCE:

SAP Security Consulting

Confidential

• Responsible for the analysis and correction of SAP System settings, proper assignment of sensitive Basis, Development, Finance, and Human Resources transactions, and the identification and removal of SOD conflicts in Orion Carbons technical and end user Security Roles. Evaluation of the existing SAP Security Roles to restrict the use of sensitive transactions and identify Sarbanes-Oxley SOX Governance, Risk and Compliance issues. Management of the discussions with Business Process Owners to define remediation efforts, and provide recommendations for Security Role modifications.

Confidential

• This short-term contract was estimated to be two weeks in duration. The goal was to provide Security Role restrictions to segregate two plants which had recently been sold and their associated warehouses. It was important to prevent the recently-sold plants from seeing Trinity Packaging Company data and restrict them entirely to their own data. Because of the short time frame before Go-Live it was not possible to handle this restriction by the usual Company Code methods, and the SAP Security consultant was responsible for identifying other methods of separating the data such as authorization group restriction, etc. We were able in four days to complete the desired level of data restriction and the role modifications which were necessary to segregate the recently-sold plants and warehouses and restrict them to their own data.

Confidential

• As an experienced third-party Security consultant to a major Governance, Risk and Compliance Consulting firm, Sandra advised and supported the Rowan Companies corporate Security Team Lead in remediation of Segregation of Duties conflicts in the current Security roles. User Administration was handled through CUA. Extensive revision of generic Security Roles was accomplished during this short-term contract. End User Security roles were also revised to expedite Business Owner approvals and streamline the role assignment process.

Confidential

• Nexeo Solutions is a spin-off from Ashland Distribution, and this project was a conversion from a corporate SAP system to an independent SAP system for Nexeo Solutions. The Nexeo Solutions Security Team Lead became ill two weeks before the Nexeo conversion date and the newly hired Security Production Support Manager was not yet available to assume this position. Sandra was called two weeks before the Go-Live date by a major GRC Consulting firm to assume direct responsibility for all Security Role revisions and End-User issues and to carry Nexeo Solutions through their Go-Live process. Extensive work with corporate auditors and corporate executives during this critical time frame made this a challenging opportunity.

Confidential

Manager, SAP Security Team Lead

• Evaluated and assessed the completed Release 1 Security environment, Security Strategy, evaluation of current Security Role Design and Build. Response to 2011 Security issues determined by the RLC External Auditors' comments Led the definition, design and documentation of technical Security environments. Promoted a clear and consistent business vision through technical Security architecture

Confidential

SAP Retail Project

• SAP G5 Security Lead to provide management, consulting and analytical services. Sandra reported to the SAP Project Manager and was responsible for assisting in the coordination of Security Planning, Security Strategy, key technical activities for designing, building and assisting on testing security roles. Sandra's responsibilities included: - Management of key Security activities. - Providing security training to the less experienced Security team members. - Guidance on SAP Security Best Practices. - Management of the Design and Development of Security Roles, - Supervision of the Functional Validation Testing and management of Defect resolution.

Confidential

• - Global Implementation of ECC 6.0, BW, HCM, PI, MDM and SRM systems with modules for FICO, Procurement, HCM, SD, BW, SCP, MDM, and BCP using CUA for User Administration. - Security Design and Development management for Release 1 - Europe and Latin America. - Management of FICO, Procurement, SCP, and MDM Security Team Design and Build. - Extensive contact with client Security Controls Management. - SAP GRC, removal of critical transactions and SOD conflicts from Release 0 and Release 1 Project Team roles and End User roles. - Assisted the Global Technology Security team with guidance and quality review to ensure that a quality solution is designed and built. - Provided experience and thought leadership in the SAP Security area. - Security Manager with 26 SAP R/3 Full Life Cycle Implementations and experience on multi-release projects to manage multi-release and wave project in the Security space. - Extensive SAP Security implementation experience 20 years and deep skills.

Confidential

• Responsibilities: - Interviewed, selected and managed the Security efforts of one Singapore Security resource, two Philippine Security resources, one traveling GRC Security resource, and four other on-site Security resources for Release 5 and Release 6 countries - Australia, China, Egypt and Vietnam. - Coordinated and directed the U2K2 Roles and Authorizations efforts of the Accenture Philippine Delivery Center Development and Testing teams. - Defined and prepared the presentation that convinced U2K2 Regional executives to eliminate the individual country requirements for per-country Risk Management Frameworks and GRC Rule Sets and develop a Regional Risk Management Framework and Regional GRC Rule Set totally separate from the SAP Security R A development. The Regional SAP Rule Set is used to identify SOD conflicts within the Release 5 and Release 6 Security roles but is no longer considered to be the responsibility of the Accenture Roles and Authorizations Security team. - Managed and reported Security operations and statistics for the Regional Unilever management, Regional Process Leads and PMO meetings. - SAP-GRC Risk and Remediation for Release 5, Release 6, and previous country implementations. - Worked closely with the Regional Security Director, the Unilever Risk Manager, and the IT Security Manager to ensure that Release 5 and Release 6 SAP Security activities fit within the Unilever Regional frameworks and met the U2K2 standards.
• -Extensive business travel to Shanghai, China Sydney, Australia Alexandria and Cairo, Egypt and Ho Chi Minh City, Vietnam.
• - The China and Australia New Zealand implementations were the smoothest in Unilever's four year SAP history.